Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-2598

Ipsec pods restart due to liveness probes fail in cluster with more than 150 +

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Critical
    • None
    • 4.10
    • Networking / ovn-kubernetes
    • None
    • -
    • Important
    • SDN Sprint 226, SDN Sprint 227
    • 2
    • Rejected
    • False
    • Hide

      None

      Show
      None

    Description

      Description of problem:

      Liveness probe of ipsec pods fail with large clusters. Currently the command that is executed in the ipsec container is
ovs-appctl -t ovs-monitor-ipsec ipsec/status && ipsec status
The problem is with command "ipsec/status". In clusters with high node count this command will return a list with all the node daemons of the cluster. This means that as the node count raises the completion time of the command raises too.

      This makes the main command 

      ovs-appctl -t ovs-monitor-ipsec

      To hang until the subcommand is finished.

      As the liveness and readiness probe values are hardcoded in the manifest of the ipsec container herehttps//github.com/openshift/cluster-network-operator/blob/9c1181e34316d34db49d573698d2779b008bcc20/bindata/network/ovn-kubernetes/common/ipsec.yaml] the liveness timeout of the container probe of 60 seconds start to be  insufficient as the node count list is growing. This resulted in a cluster with 170 + nodes to have 15+ ipsec pods in a crashloopbackoff state.

      Version-Release number of selected component (if applicable):

      Openshift Container Platform 4.10 but i think the same will be visible to other versions too.

      How reproducible:

      I was not able to reproduce due to an extreamely high amount of resources are needed and i think that there is no point as we have spotted the issue.

      Steps to Reproduce:

      1. Install an Openshift cluster with IPSEC enabled
2. Scale to 170+ nodes or more
3. Notice that the ipsec pods will start getting in a Crashloopbackoff state with failed Liveness/Readiness probes.

      Actual results:

      Ip Sec pods are stuck in a Crashloopbackoff state

      Expected results:

      Ip Sec pods to work normally

      Additional info:

      We have provided a workaround where CVO and CNO operators are scaled to 0 replicas in order for us to be able to increase the liveness probe limit to a value of 600 that recovered the cluster. 
As a next step the customer will try to reduce the node count and restore the default liveness timeout value along with bringing the operators back to see if the cluster will stabilize.

       

      Attachments

        Issue Links

          blocks

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-3823 Ipsec pods restart due to liveness probes fail in cluster with more than 150 +

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-3824 [4.12] Ipsec pods restart due to liveness probes fail in cluster with more than 150 +

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed
          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-3823 Ipsec pods restart due to liveness probes fail in cluster with more than 150 +

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-3824 [4.12] Ipsec pods restart due to liveness probes fail in cluster with more than 150 +

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. SDN-3607 Add taint mechanism: Ipsec pods restart due to liveness probes fail in cluster with more than 150 +

          • Minor - To be worked after urgent, high, and medium priorities are resolved. This term is chosen when the severity of the issue is low, or the complexity or effort to correct it may be higher, relatively speaking. For low priority issues, known workarounds exist or are not needed due to the trivial effort needed to address the issue.
          • Closed
          links to

          Web Link BZ Clone

          GitHub openshift/cluster-network-operator#1606: OCPBUGS-2598: ipsec: Run ovs-monitor-ipsec in the foreground and change probes

          Activity

            People

              akaris@redhat.com Andreas Karis
              rhn-support-nstamate Nikolaos Stamatelopoulos
              Anurag Saxena Anurag Saxena
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: